The detailed discussion of sandboxing technologies thus far in our advanced threat myth-busting series has been purposeful. Much of the “heavy lifting” associated with advanced threats will be done by sandboxing techniques, so it’s important to understand these technologies and their limits.
As we’ve noted already, sandboxing is great for isolating suspicious files and analyzing them in detail. The best sandbox technologies use multi-engine behavioral analysis to quickly determine what a sample is intended to do and where it was meant to go.
We’ve also noted that sandboxes have some limitations. They don’t catch all malware – or even all advanced malware. Additionally, there are multiple ways to foil some sandbox environments.
While it’s easy to continue down this path of focusing mostly on sandboxing technologies, it’s also important at this point to step back and re-evaluate the role of endpoint protection technologies as part of the integrated solution to advanced threats.
It’s often assumed, for example, that traditional signature-based approaches are simply not part of the advanced malware equation. This could not be more wrong.
I speak with hundreds of customers every year, and nobody is tearing endpoint protection out of their security architectures.
Clearly, many advanced malware types are by definition zero-day attacks, and signature-based technologies are only as good as their last update. But updates are frequent, and signature-based systems can and do flag files as suspicious or unknown. In fact, this is how most malware gets routed into sandboxes in the first place.
So it stands to reason that signature-based technologies are not only important, but key to isolating and dealing with advanced malware.
Another compelling strength of signature-based approaches is that they operate in real time and are capable of taking a suspected file out of the stream completely. This is not true with sandboxes, which merely isolate a copy of the suspected file, while the original continues on its way.
In this sense, signature-based technologies have little overhead and are extremely efficient by comparison. They are also very accurate, with typically high hit rates and few false positives. This dramatically decreases the load on the more advanced malware technologies behind them, which is key to maintaining the efficiency and cost control of the overall environment.
So while their role in the malware equation may be perceived as changing, established endpoint protection approaches are not fading into the background. They are a critical technology in an integrated advanced malware solution. They can find and block malware in real time, they can track suspicious or unknown files into sandboxing solutions, and they can increase the overall efficiency of the advanced malware defense environment.